Immutability as an Operational Constraint Rather Than a Security Feature
DOI:
https://doi.org/10.63282/3050-9262.IJAIDSML-V3I2P119Keywords:
Immutability, Operational Constraints, Distributed Systems, Append-Only Logs, Storage Systems, Data Governance, Incident Response, Compliance, Reliability Engineering, Infrastructure-As-CodeAbstract
Immutability is being more and more identified as a fundamental trait of contemporary digital systems right from simple append-only logs and object storage to distributed ledgers and infrastructure-as-code. And it is mostly touted as a security measure in a very narrow sense that only by making tampering, preserving evidence, and trust enforcement in a hostile environment physically impossible can the security feature be justified. We think that such a portrayal is not only partial but, as a matter of fact, in many cases, far from the truth and we disprove it here by a thorough exposé of the issue. Our alternative proposition is that immutability should primarily be regarded as an operational design constraint, i.e. one that determines the very nature of how the systems are built, handled and recovered over time. We carry out, through a conceptual dissection buttressed with an empirical study, a thorough examination of the detrimental consequences of organizations blindly deploying immutable components without the necessary insight into what these components actually imply at the operational level. The analysis reveals that the principle of immutability brings about alterations in failure modes thereby generating new problems rather than doing away with the old ones: it is simply impossible to rectify errors "in situ, " the operation of rollback loses its simplicity, and the mistakes get duplicated through the execution of replication along with automation. The case study depicts the dual effects of immutable logs and storage that, on the one hand, enhance auditability but, on the other hand, pose difficulties of retention, cost escalation, slow incident response, as well as the challenge of governance of corrective actions. Major outcomes are along the lines of indicating that the major resultant consequences of immutability are felt in lifecycle management, versioning, reconciliation, and recovery workflows, thus it is not a matter of threat prevention per se.
References
[1] Weber, Sam, et al. "Empirical studies on the security and usability impact of immutability." 2017 IEEE Cybersecurity Development (SecDev). IEEE, 2017.
[2] Parakala, Adityamallikarjunkumar, and Aaron Bell. "How Citizen Developers Changed the Game." American International Journal of Computer Science and Technology 3.5 (2021): 14-24.
[3] Pechtchanski, Igor, and Vivek Sarkar. "Immutability specification and its applications." Proceedings of the 2002 joint ACM-ISCOPE conference on Java Grande. 2002.
[4] Katangoori, Sivadeep, and Anudeep Katangoori. “AI-Augmented Data Governance: Enabling Intelligent Access, Lineage, and Compliance across Hybrid Clouds”. American Journal of Autonomous Systems and Robotics Engineering, vol. 1, Nov. 2021, pp. 716-38
[5] Perry, Michael L. "The art of immutable architecture." Apress: New York, NY, USA (2020).
[6] Turner, PA Muckelbauer RC Taylor SJ, et al. "The inevitability of failure: The flawed assumption of security in modern computing environments." 21st National Information Systems Security Conference. 1998.
[7] Gaddam, Rohit Reddy. “Hermetic ML Environments Using Conda-Lock and Docker”. American International Journal of Computer Science and Technology, vol. 3, no. 4, July 2021, pp. 22-34
[8] Casino, Fran, et al. "Immutability and decentralized storage: An analysis of emerging threats." IEEE access 8 (2019): 4737-4744.
[9] Muppaneni, Kavya. “HTTP/3/&/REST/Latency/Improvement”. International Journal of Emerging Research in Engineering and Technology, vol. 2, no. 1, Mar. 2021, pp. 122-3.
[10] Coblenz, Michael, et al. "Exploring language support for immutability." Proceedings of the 38th International Conference on Software Engineering. 2016.
[11] Muppaneni, Rajarshi Krishna. “Securing the Enterprise: How Dynamics 365 Meets Global Compliance Standards”. International Journal of Emerging Research in Engineering and Technology, vol. 2, no. 1, Mar. 2021, pp. 133-4
[12] Östlund, Johan, et al. "Ownership, uniqueness, and immutability." International Conference on Objects, Components, Models and Patterns. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008.
[13] Tschantz, Matthew S., and Michael D. Ernst. "Javari: Adding reference immutability to Java." Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. 2005.
[14] Mykletun, Einar, Maithili Narasimha, and Gene Tsudik. "Signature bouquets: Immutability for aggregated/condensed signatures." European symposium on research in computer security. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004.
[15] Suryadevara, Siva Sai Krishna. “Generative AI–Powered Authoring Assistant for Enterprise Content Management”. International Journal of Artificial Intelligence, Data Science, and Machine Learning, vol. 2, no. 2, June 2021, pp. 103-1
[16] Tariq, Usman, et al. "Blockchain in internet‐of‐things: a necessity framework for security, reliability, transparency, immutability and liability." IET Communications 13.19 (2019): 3187-3192.
[17] Gaddam, Rohit Reddy. “Vertex AI as a Unified Control Plane for MLOps”. International Journal of Artificial Intelligence, Data Science, and Machine Learning, vol. 2, no. 2, June 2021, pp. 92-102
[18] Clarke, Jessica A. "Against immutability." Yale LJ 125 (2015): 2.
[19] Jaeger, Trent. Operating system security. Springer Nature, 2022.S
[20] Kumar Doodala, Appala Nooka. “Intelligent EOB ERA Generation and Validation Framework on Legacy Systems Like Mainframes”. International Journal of Emerging Research in Engineering and Technology, vol. 2, no. 1, Mar. 2021, pp. 111-2.
[21] Mahmoud, Chaira, and Sofiane Aouag. "Security for internet of things: A state of the art on existing protocols and open research issues." Proceedings of the 9th international conference on information systems and technologies. 2019.
[22] Carelli, Alberto, et al. "Enabling secure data exchange through the iota tangle for iot constrained devices." Sensors 22.4 (2022): 1384.
[23] Parakala, Adityamallikarjunkumar. "Building Analytics-Driven Bots: RPA Meets Business Intelligence." International Journal of Emerging Research in Engineering and Technology 2.1 (2021): 77-87.
[24] Vandebogart, Steve, et al. "Labels and event processes in the Asbestos operating system." ACM Transactions on Computer Systems (TOCS) 25.4 (2007): 11-es.
